Lately, we have seen a big increase in spammers trying to abuse the newsletter and account creation features in Magento. This issue affects both Magento 1 and 2, and it is surprisingly easy to abuse. A spammer can simply send a curl request to the newsletter subscription endpoint in Magento with the email address of the person he would like to spam, and the victim will be subscribed to the newsletter of that shop. This wouldn't be a big problem on its own, because people can just cancel the subscription, but some shop implementations offer the option to append some text to the subscription, allowing the spammer to add his own message to the confirmation. The victim then receives an email like this:
With this release, we started actively monitoring the activity of these spammers on Hypernode, permanently blocking any clearly malicious IPs.
As a shop owner or technical party, you can also take steps to prevent spammers from abusing your site. These steps are explained in the following Stack Exchange article. We also recommend making sure that there is a confirmation step before accepting a newsletter subscription or a new account, either by enabling a captcha or by adding an extra confirmation step.
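As an added example of the kind of monitoring described above (this is illustration code, not Hypernode's own tooling), the script below scans constructed access-log lines for bursts of POSTs to Magento's newsletter subscription and account creation routes from a single IP. The route paths are assumed Magento 1/2 defaults and the log lines are made up; adjust both for a customised shop before using the output to decide which IPs to block or challenge with a captcha.

```python
import re
from collections import defaultdict
from datetime import datetime

# Magento routes abused by newsletter/account spammers (assumed default paths).
WATCHED_PATHS = {"/newsletter/subscriber/new", "/customer/account/createpost"}

# Combined log format (nginx/apache); captures only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: a burst from one source plus ordinary visitor traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2018:12:00:01 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 0 "-" "curl/7.58.0"
198.51.100.4 - - [10/Mar/2018:12:00:03 +0000] "GET /catalog/category/view/id/3/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:12:00:04 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 0 "-" "curl/7.58.0"
198.51.100.4 - - [10/Mar/2018:12:00:09 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:12:00:10 +0000] "POST /customer/account/createpost/ HTTP/1.1" 302 0 "-" "curl/7.58.0"
203.0.113.7 - - [10/Mar/2018:12:00:15 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 0 "-" "curl/7.58.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    # drop query string and trailing slash so both Magento variants match
    path = m.group("path").split("?", 1)[0].rstrip("/")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"), "path": path}

def find_abusers(log_text, window_seconds=60, threshold=3):
    """{ip: total_posts} for IPs exceeding `threshold` watched POSTs in any window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED_PATHS:
            hits[rec["ip"]].append(rec["ts"])
    abusers = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 > threshold:
                abusers[ip] = len(stamps)
                break
    return abusers
```

Run `find_abusers(SAMPLE_LOG)` to get the flagged IPs; a real deployment would feed the live access log in and tune the window and threshold to the shop's normal signup rate.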
Both Blackfire packages were updated to the latest release in this version:
- blackfire-php to version 1.26.3
- blackfire-agent to version 1.27.0
See the Blackfire agent changelogs for more details on these changes.